Currently I am hardening a SQL Server 2012 instance after having already hardened the Windows Server 2008 R2 system on which it is installed. The rules for hardening system components to DoD standards are known as STIGs (Security Technical Implementation Guides). I am not a certified Windows engineer but I was able to fully STIG the server. Last Thursday was the first time I had ever installed SQL Server 2012 so on Friday I not only began the STIG process but I wrote an app to help me document the process. See below:
The problem with the SQL STIG list is it requires the use of SQL scripts for most guidelines, and the guidance in the STIG documents in most cases gives bad (non-working) example scripts. For this reason I have to research every requirement and come up with totally new scripts to test for the specific guideline condition on the STIG item, then come up with a fix for any failures.
Since I don’t want to ever do this again, I designed this app to allow me to record the condition, the result, the suggested test/fix scripts, and my actual test/fix scripts. The log of my experience is captured in SQL Server. The app will export it to XML, then an XSLT script that will output the findings filtered by fixed/open/can’t-be-fixed as a clean document which I will add to our internal wiki.
Our contacts in the DoD tell us that it takes certified MS SQL admins weeks to apply this STIG list. It will take me about the same, and when I’m done I will have produced a document which will cut the next STIG application at least in half.